Enable codecov coverage checks

[kdacosta0]

Summary

• Adds a GitHub Actions workflow (.github/workflows/code-coverage.yml) that runs Python tests with coverage via Hatch on every PR and push to main, then uploads the report to Codecov.
• Adds codecov.yml with coverage status thresholds:
  • Patch coverage: 70% target with 5% threshold — new/changed lines in a PR must maintain at least 70% coverage (with 5% tolerance before the check fails).
  • Project coverage: auto target, informational only — tracks overall project coverage trend without blocking PRs.
• Adds coverage.xml and htmlcov/ to .gitignore to keep generated coverage artifacts out of version control.

Setup Required

CODECOV_TOKEN must be configured as a repository secret in GitHub. Without this token, the Codecov upload step will fail (fail_ci_if_error: true). Repository admins should:

1. Create an account/project at codecov.io for this repository
2. Copy the upload token
3. Add it as a repository secret named CODECOV_TOKEN in GitHub Settings > Secrets and variables > Actions

Test Plan

• Verify the Code Coverage workflow triggers on PRs targeting main
• Verify coverage.xml and htmlcov/ are listed in .gitignore and not tracked by git
• Verify Codecov receives the coverage report after a successful workflow run
• Verify Codecov PR status checks appear (patch and project)

Implements SECURESIGN-4375

[codecov-commenter]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️